
Master password is in the vault

[Deleted User]
Community Member

I am new to 1Password but I noticed when I created my account my master password is in the vault. I wouldn't think that would be safe. What is best practice here on this issue?


1Password Version: 8.9.12
Extension Version: Not Provided
OS Version: Windows 11
Browser: Firefox
Referrer: forum-search:Master password

Comments

  • sethretig
    Community Member

    Same question here.

  • Tertius3
    Community Member

    It's as if you're keeping a spare physical key to a physical vault within the vault. It's for convenience, but no security risk, since everything in the vault is encrypted.

  • Dave_1P
    Team Member

    Hello!

    Each 1Password account comes with a starter item that contains both your account password and Secret Key. It's absolutely safe to store your account password and Secret Key in your Private vault in 1Password. No one can access your 1Password items without both your account password and Secret Key so they would need to know your account password/Secret Key to get to your account password/Secret Key. A good analogy here is to think of a physical safe: you can store a copy of the key to the physical safe inside of the safe and someone would need to already have a key in order to open the safe and get the copy of the key.

    I hope that helps. 🙂

    -Dave
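    The two-secret property Dave describes above (nothing in the vault can be decrypted without both the account password and the Secret Key), shown as an added example that is not part of this thread and is not 1Password's own code. It follows the general shape of the key derivation 1Password documents publicly, a slow KDF over the account password combined with an HKDF expansion of the Secret Key, but the iteration count, the fixed salt, the info strings, the example secrets and the stdlib-only encrypt-then-MAC cipher standing in for a real AEAD are all assumptions made here so it runs offline.

```python
"""Simplified two-secret key derivation model (added example, not 1Password code).

Every constant and the toy cipher below are assumptions for illustration; the
point demonstrated is only that the vault key depends on BOTH secrets.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000          # assumption: illustrative work factor
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed per-account salt


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract then expand), standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_master_key(account_password: str, secret_key: str, salt: bytes) -> bytes:
    """Combine a slow KDF of the password with an HKDF expansion of the Secret Key.

    XORing the two means an attacker needs both: the password alone is
    brute-forceable but useless without the high-entropy Secret Key, and the
    Secret Key alone (e.g. from a stolen device file) is useless without the
    password.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", account_password.encode(), salt, PBKDF2_ITERATIONS, 32)
    sk_key = hkdf_sha256(secret_key.encode(), salt, b"2skd-example", 32)
    return bytes(a ^ b for a, b in zip(pw_key, sk_key))


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-based counter-mode keystream (toy; a stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag. Assumption: stands in
    for AES-GCM, which the standard library lacks; do not reuse in real systems."""
    enc_key = hkdf_sha256(master_key, b"", b"enc", 32)
    mac_key = hkdf_sha256(master_key, b"", b"mac", 32)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails closed."""
    enc_key = hkdf_sha256(master_key, b"", b"enc", 32)
    mac_key = hkdf_sha256(master_key, b"", b"mac", 32)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong account password and/or Secret Key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def try_unlock(blob: bytes, account_password: str, secret_key: str, salt: bytes) -> bool:
    """Return True only if the supplied pair of secrets decrypts the item."""
    try:
        unseal(derive_master_key(account_password, secret_key, salt), blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Seal the 'starter item' that holds both secrets, then show that neither
    secret alone recovers it. All inputs here are constructed, not real."""
    password = "correct horse battery staple"              # constructed
    secret_key = "EXAMPLE-SECRET-KEY-NOT-A-REAL-ONE"       # constructed
    starter_item = f"password={password}; secret_key={secret_key}".encode()
    blob = seal(derive_master_key(password, secret_key, SALT), starter_item)
    return {
        "both_secrets": try_unlock(blob, password, secret_key, SALT),
        "password_only": try_unlock(blob, password, "WRONG-GUESSED-SECRET-KEY", SALT),
        "secret_key_only": try_unlock(blob, "wrong password", secret_key, SALT),
    }


if __name__ == "__main__":
    print(demo())
```

    The item stored in the vault is just ciphertext under a key that only the password-plus-Secret-Key pair can derive, which is why storing that pair inside the vault adds no exposure: anyone who can read the item already holds both.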

  • DickieD
    Community Member
    edited January 17

    ...Except that because of the way 1Password works, there is no re-authentication required to show passwords.
    This means that if you forgot to lock your machine, someone can easily now view both your master password and Secret Key, without being asked to re-authenticate.

    Can I suggest that there is an option to request re-authentication before displaying passwords.

  • Tertius3
    Community Member

    This means that if you forgot to lock your machine, someone can easily ...

    This means, if this danger actually exists in your working or household environment, you should educate yourself to press the lock hotkey as soon as you are about to stand up from your chair. It's just one hotkey. It will become an unconscious habit if done consistently. This way, there is never an unlocked 1Password if you are about to not be in front of your computer. Don't rely on timeouts or tedious functions, just press the lock key.

    If you request to be asked for the master password every time you use some item, you're essentially asking for a timeout of 0. Isn't that a bit too often? This would get on my nerves.

  • DickieD
    Community Member
    edited January 18

    @Tertius3 I realise that (and I do lock my machine). I was just commenting on the fact that "other" password managers (e.g. LastPass for one) and most systems do not normally just show you the passwords without some form of re-authentication.
    This re-auth would not stop you from using the passwords in an autofill; the re-auth is only when trying to make them visible, so this is very different from a timeout of 0. I don't want to have to re-auth for every autofill :o.

    At the very least the vault Secret Key should be protected by this re-auth by default.

    It also may be the case that many people do not realise how easy it would be for someone to get "all the keys to your vault" without any extra checks.
    I was quite shocked when I noticed that I could show all my passwords so easily.

  • Tertius3
    Community Member

    It's a password manager after all. It's supposed to contain passwords. If it's unlocked, it gives access to what it contains. On the other side you're right, it would not physically enhance security, because one can always copy an invisible password and paste it into some editor or input field, where it becomes visible, but it helps prevent password leaks in the same way the dots in every password input field do.

    I guess, 1Password hasn't implemented such functionality, because it doesn't actually prevent passwords being extracted, so it isn't a required functionality for a password manager.

  • DickieD
    Community Member

    @Tertius3 I'm not suggesting LastPass security was great (lol) but it also asked for re-auth if you wanted to copy a password to the clipboard. Autofill would always work without.
    This makes it much harder for someone to quickly grab your data, and it never really caused me a problem as I didn't often have to copy a password.
    If you were needing to do it a lot you could say "Don't ask to re-auth for x mins/hours".

  • Dave_1P
    Team Member

    @DickieD

    When you unlock 1Password (using your account password or biometric unlock) your data is decrypted locally so a determined and well-equipped attacker with access to your device would be able to access your information since your vault data is already unlocked and decrypted. To require a "re-auth" after your data is already decrypted would potentially, in this case, be an example of "security theatre" where a feature claims to offer more security on a surface level but in reality doesn't actually offer more protection.

    What I personally do on my device is set the auto-lock time to a short duration so that 1Password locks after a short period of inactivity. I also have biometric unlock enabled so that I can quickly unlock 1Password without having to enter my account password.

    That being said, I've passed along your request to the product team so that they can consider it for future versions of 1Password. 🙂

    -Dave

    ref: IDEA-I-577

  • DickieD
    Community Member

    @Dave_1P Thanks for the response.

    While I completely understand that this makes absolutely no difference for a determined attacker, this is more about an "interested colleague" who may notice your PC is unlocked and just tries their luck looking at your passwords. Leaving them "masked" unless specifically unlocked stops this opportunistic viewing of passwords.

  • Dave_1P
    Team Member

    @DickieD

    Can you tell me a little more about why locking the PC itself when you step away from it or locking 1Password, or having 1Password auto-lock more quickly, wouldn't be a better solution? I wouldn't want an "interested colleague" to have access to any of my information in 1Password and not just the passwords so I make sure to lock my Mac when I step away from it. I also have pretty strict auto-lock settings so that 1Password will lock on sleep and lock at a minute of inactivity.

    I look forward to hearing from you. 🙂

    -Dave

  • DickieD
    Community Member

    @Dave_1P

    It's about layers.

    It's not about one solution necessarily being better than another; it's about multiple layers of protection. Therefore, "in the unfortunate event" that I accidentally happen to leave my PC unlocked (which could happen at some point, let's be honest), it would be much more difficult for someone to just "have a look" and either copy a password or have it visible to them on the screen.

    For me, auto locking the vault after a short interval would be incredibly frustrating, having to retype my master password every time I wanted to use it. Plus in your example, even 1 minute of inactivity still leaves your account vulnerable for that 1 minute after you get distracted and step away and forget to lock your Mac.

    I'm not defending LastPass, but as I said before, it was actually not possible to see a password within the vault unless you re-entered the master password (because in normal use you don't ever need to actually see passwords for autofilling a webpage or dragging to an app).
    And even when autofilled into a web page, the password field is masked in the browser, and that is also not possible to copy out of. So someone would have to spend some effort to see or get hold of anything useful, by which time you may well have returned to your desk.

    All this really means is that this is just an extra layer of protection against the casual snooper.
    Having come from LP I was quite surprised how easy it was to copy or view a password from the vault with no form of re-authentication.

    To be honest, if you think it would cause people issues by just adding this functionality, then at least consider adding it as something that could be optionally enabled if the paranoid amongst us wanted this feature.

    Remember, I'm not suggesting that it's security in itself, because it isn't. Just like a masked password field is not really security, but I still hope you agree that masked password fields are worth having.

    At the end of the day it's just another stumbling block to someone to limit exposure of sensitive information.

  • DickieD
    Community Member

    @Dave_1P I wrote a comprehensive response, but for some reason it vanished. (It said something about moderation, then disappeared completely.)
    I will have a go at writing it again, if it doesn't re-appear soon.

  • sanderkerel
    Community Member

    I am also missing that feature from LastPass. I personally have a distinction between secret and supersecret. At home I used to be quite liberal with leaving my LastPass unlocked. I am not afraid of people in the house being able to log in to my Facebook or the online newspaper; those are regular secrets. However, passwords (and notes) related to government stuff or banking required an extra authentication challenge in LastPass, because I consider those to be supersecret.

    With 1Password I need to treat everything as supersecret, and set the timeout to 1 minute. It is less convenient for me.

  • DickieD
    Community Member

    @Dave_1P ... Looks like it's re-appeared :)

  • ag_tommy
    Team Member

    @DickieD

    It was probably snagged by the automated spam catcher and someone set it free.

  • DickieD
    Community Member
    edited January 24

    @ag_tommy LOL... I can't believe you are suggesting my carefully crafted response looked like spam? ;)
    How very dare you. :)

  • ag_tommy
    Team Member

    Lol. Not me my friend.

    That automatic spam catcher seems to take steroids from time to time. I've seen it take a liking to users who've been here for a long time and then again to others who have just joined. Sorry for the trouble.
